In association with heise online

18 March 2008, 13:09

Numerous products foul up when processing crafted archives

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The Finnish Computer Emergency Response Team (CERT-FI) has released a security advisory on vulnerabilities in various products which misbehave when processing crafted archives. Attackers could exploit these to inject code. CERT-F1 discovered the vulnerabilities in conjunction with the University of Oulu using a fuzzing tool. Fuzzing – testing with randomly generated parameter values in the specified file format – generally discovers validation errors in user input processing routines. Vulnerabilities of this kind can frequently be exploited to inject malicious code.

Updates for the discovered vulnerabilities are already available from 7-zip (version 4.5.7), bzip2 (1.0.5), Debian (libarchive), F-Secure, FreeBSD (libarchive), Gentoo (libarchive), RarLab (Version 3.71) and SuSE (libarchive).

Non-vulnerable products tested include Aladdin, Apple, Citrix, Gfi, Microsoft, Oracle, S60Zip, Secgo and Symantec. The status of the other vendors listed by CERT-FI is unknown.

Where relevant, users should install the released updates as soon as possible.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit